Data Protection Regulation and the Politics of Interoperability

The United States Government is taking its stance pressuring the European Union to weaken its new strengtened data protection bill. The European Union has a history of strong data protection standards, emboldened by the European Charter’s explicit provisions upholding data protection as a fundamental right. European Digital Rights (EDRi) revealed today awidespreadU.S. lobbying effort against the November 29thleakedversion of the legislative proposal for a Data Protection Regulation (DPR). DPR will repeal the existingEUDataProtectionDirective, which details regulations regarding personal data processing within the European Union, and is due for official release on January, 25th 2012.

The U.S. lobbying efforts include phone calls and correspondence from senior figures in the U.S. Department of Commerce to top-level staff at the European Commission regarding a broad range of topics. An "informal note" was circulated, articulating U.S. concerns about DPR, which complained that the draft proposal “will break with international standards” and could “undermine” global interoperability between different privacy “regimes” around the world.

Some of the U.S. criticisms are fair. For instance, under the First Amendment, older minors possess greater rights than pre-adolescents, and should not be treated the same way. Similarly, the “right to be forgotten” creates free expression tensions. The U.S. position on interoperability, however, is of concern.

The U.S. - EU Safe Harbor Framework was cited as an example of a bilateral interoperability program. The Framework is an agreement between the European Commission and the United States Department of Commerce, whereby companies can join the Safe Harbor to demonstrate--in theory--compliance with the strong protection afforded by the EU Data Protection Directive.1 The framework was widely criticized in 2002, 2004, and 2008 for its lack of effectiveness to protect privacy. For many, the Safe Harbor represents a weak compromise between the comprehensive legislative model selected by the European Union, versus the self–regulatory model adopted by the U.S. which fails to meaningfully protect privacy (Read here, here and here to learn more about the criticisms against the Safe Harbor Framework).

In today’s statement, EDRicriticizes the U.S.’s own global interoperability work. In practice, EDRi said, that the concept of “interoperability” has often meant that data is simply being transferred to the U.S., where there are no data protection laws that would protect the data of non-U.S. persons. The concept of interoperability remains contested and in flux as discussed at the recent OECDPrivacyConferenceinMexico, where EFF representedCSISAC. In that meeting, we voiced concern over the concept of “interoperability”, arguing that it should not be used as a way to circumvent strong privacy safeguards. Recent incidents of high profile privacy invasions and subsequent public outcries demonstrate a general erosion of users’ trust and indicate a pressing need for strong and consistent privacy protections. During the same meeting, Mme Françoise Le Bail of the European Commission also emphasized that interoperability must not be promoted at the expense of high standards.

Nigel Waters of Privacy International said, "interoperability must not be allowed to justify purely self regulatory models that lack credibility." In the United States, self-regulation has failed to protect users' privacy expectations, especially given the increasing commodification of personal data. A U.S. study hasshown that self-regulatory privacy programs emerge only when companies feel threatened by potential legislation, but dissipate when companies believe that the threat has passed. Such an approach fails to address user trust issues or adequately protect privacy rights in the United States.

This ongoing process requires continued vigilance of vested interests intent on promoting a watered-down version of privacy protections in the name of interoperability. According to EDRi, U.S. lobbying effort are aimed at weakening proposed privacy standards established in the DPR, based on objections that are “flawed” and “interest-driven”. It must be noted that data protection laws are no longer a European phenomenon. A study done by Graham Greenleaf shows that there are now 29 legal frameworks that protect privacy outside Europe, 78 national data privacy laws in total. Despite these efforts, the U.S. government has still failed to implement OECD Privacy Guidelines into their national law.

EFF will be monitoring the current negotiations to review existinginternationalprivacyinstruments at theOECD, theCouncilofEuropeand theEuropeanUnion. 2012 will be a key year for data protection. We must keep our eyes open to make sure the U.S. government does not force the worst of its policies -- that are detrimental to user privacy rights -- into the international fora.

Related Updates

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the...

When she went to Egypt for vacation, Mona el-Mazbouh surely didn’t expect to end up in prison. But after the 24-year-old Lebanese tourist posted a video in which she complained of sexual harassment—calling Egypt a lowly, dirty country and its citizens “pimps and prostitutes”—el-Mazbouh was arrested at Cairo’s airport and...

Against all the odds, but with the support of nearly a million Europeans, MEPs voted earlier this month to reject the EU's proposed copyright reform—including controversial proposals to create a new "snippet" right for news publishers, and mandatory copyright filters for sites that published user uploaded content. The...

The hope that filled Egypt's Internet after the 2011 January 25 uprising has long since faded away. In recent years, the country's military government has instead created a digital dystopia, pushing once-thriving political and journalism communities into closed spaces or offline, blocking dozens of websites, and arresting a...

As we reported last week, JURI, the key European Parliamentary committee working on copyright reform, voted on June 20th to support compulsory copyright filters for media platforms (Article 13), and to create a new requirement on websites to obtain a license before linking to news stories (...

“YouTube keeps deleting evidence of Syrian chemical weapon attacks” “Azerbaijani faces terrorist propaganda charge in Georgia for anti-Armenian Facebook post” “Medium Just Took Down A Post It Says Doxed ICE Employees” These are just a sampling of recent headlines relating to the regulation of user-generated online content, an increasingly controversial...

Vint Cerf, Tim Berners-Lee, and Dozens of Other Computing Experts Oppose Article 13 As Europe's latest copyright proposal heads to a critical vote on June 20-21, more than 70 Internet and computing luminaries have spoken out against a dangerous provision, Article 13, that would require Internet platforms to automatically...

The pending update to the EU Copyright Directive is coming up for a committee vote on June 20 or 21 and a parliamentary vote either in early July or late September. While the directive fixes some longstanding problems with EU rules, it creates much, much larger ones: problems so big...

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the...

Anyone looking at their inbox in the last few months might think that the Internet companies have collectively returned from a term-of-service writers' retreat. Company after company seem to have simultaneously decided that your privacy is tremendously important to them, and collectively beg you take a look at their updated...